List:       snort-devel
Subject:    Re: [Snort-devel] [Snort-sigs] distance, within, and negated matches
From:       L0rd Ch0de1m0rt <l0rdch0de1m0rt () gmail ! com>
Date:       2013-05-23 19:50:20
Message-ID: CAA7Gf8umv_Kwr=Xhw=e5eu_2MPyPiRwSrvXLHQTNTk+VakR1OQ () mail ! gmail ! com


Hello.  Thank you Patrick for the response.  One point of clarity and one
thing that I noticed is that non-relative negated content matches seem to
*reset* the pointer so that is something to keep in mind... You should
always put non-relative negated content matches before or after your
relative content matches or it won't work as you expect!

Cheers,

Lord C.


On Sun, Jul 1, 2012 at 4:52 PM, Patrick Mullen <pmullen@sourcefire.com> wrote:

> Wow, a flash from the past.  Welcome back.
>
> Negated content matches do not move the cursor, which means any negative
> content match, no matter how many there are, is relative to the last thing
> to move the cursor, whether it be a regular content match, pcre, byte_jump,
> etc.
>
> Cheers,
>
> Patrick
>
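
The cursor behaviour described in the quoted reply, as an added example that is not part of the original thread and is not Snort code: a simplified Python model of a content chain in which negated matches leave the cursor untouched. The `Content` class, the `evaluate` function, the rule chain and both payloads are constructed for illustration; the model takes the first hit only and does not model the reset that the reply reports for non-relative negated matches.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Content:
    """One content option; it is relative when distance or within is set."""
    pattern: bytes
    negated: bool = False
    distance: Optional[int] = None
    within: Optional[int] = None

def evaluate(payload: bytes, options: List[Content]):
    """Return (matched, cursor_trace) for a simplified content chain.

    Assumption: first hit only, no retry of earlier matches at later offsets.
    """
    cursor, trace = 0, []
    for opt in options:
        relative = opt.distance is not None or opt.within is not None
        start = max(0, cursor + (opt.distance or 0)) if relative else 0
        end = len(payload)
        if opt.within is not None:
            end = min(end, start + opt.within)
        idx = payload.find(opt.pattern, start, end)
        if opt.negated:
            if idx != -1:
                return False, trace  # forbidden bytes present in the window
            # Negated match succeeded: the cursor stays where it was.
        else:
            if idx == -1:
                return False, trace
            cursor = idx + len(opt.pattern)  # positive match moves the cursor
        trace.append(cursor)
    return True, trace

# Constructed chain, written as rule options:
#   content:"GET "; content:!"admin"; within:10; content:!"login"; within:10;
#   content:"HTTP/"; distance:0;
CHAIN = [
    Content(b"GET "),
    Content(b"admin", negated=True, within=10),
    Content(b"login", negated=True, within=10),
    Content(b"HTTP/", distance=0),
]
CLEAN = b"GET /index.php?id=1 HTTP/1.1\r\nHost: example.test\r\n"  # constructed
LOGIN = b"GET /a/login HTTP/1.1\r\nHost: example.test\r\n"         # constructed

if __name__ == "__main__":
    print(evaluate(CLEAN, CHAIN))
    print(evaluate(LOGIN, CHAIN))
```

Both negated options are checked in the same 10-byte window after "GET ", because neither moves the cursor; the trace shows the cursor staying at 4 until the final positive match.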
